This section presents the KUMA normalized event data model. All events that are processed by KUMA Correlator to detect alerts must be compliant to this model.
Events that are not compliant to this data model must be imported into this format (or normalized) using Collectors.
Normalized event data model
Field name |
Field type |
Description |
AggregationRuleName |
Internal |
The name of the aggregation rule that processed the event. |
BaseEventIDs |
Internal |
IDs of events that triggered creation of the correlation event. |
Code |
Internal |
In a base event, this is the code of a process, function or operation return from the source. In a correlation event, the alert code for the first line support or the template code of the notification to be submitted is written to this field. |
CorrelationRuleName |
Internal |
It is filled in only for the correlation event. The name of the correlation rule that gave rise to the correlation event. |
ID |
Internal |
Unique event ID of UID type. The collector generates the ID for the base event that is generated in the collector. The correlator generates the ID of the correlation event. The ID never changes its value. You can search for the event in Storage using this ID. |
Raw |
Internal |
Text of the source "as is" event. |
Score |
Internal |
It is filled in for events that were processed by the triggered correlation rule. This is the priority of the identified <incident> that was specified in the correlation rule. |
ServiceAddress |
Internal |
IP address of the host on which the service is deployed. |
ServiceID |
Internal |
Identifier of a service instance: correlator, collector, storage. |
ServiceKind |
Internal |
Service type: correlator, collector, storage |
ServiceName |
Internal |
The name of the service instance that the KUMA administrator assigns the service when it is created. |
Tactic |
Internal |
Name of the tactic from MITRE |
Technique |
Internal |
Name of the technique from MITRE |
Timestamp |
Internal |
Timestamp of the base event created in the collector. Timestamp of the correlation event created in the collector. |
Extra |
Internal |
Used for mapping unparsed values during event normalization. |
TICategories |
Internal |
Threat intelligence categories that were received from external TI sources in response to receiving event indicators. |
DeviceVendor |
CEF |
Name of the log source producer. The value is taken from the raw event. The DeviceVendor, DeviceProduct, and DeviceVersion all uniquely identify the log source. |
DeviceProduct |
CEF |
Product name from the log source. The value is taken from the raw event. The DeviceVendor, DeviceProduct, and DeviceVersion all uniquely identify the log source. |
DeviceVersion |
CEF |
Product version from the log source. The value is taken from the raw event. The DeviceVendor, DeviceProduct, and DeviceVersion all uniquely identify the log source. |
DeviceEventClassID |
CEF |
Unique ID for the event type from the log source. Certain log sources categorize events. |
Name |
CEF |
Event name in the raw event. |
Severity |
CEF |
Error priority from the raw event. This can be a Severity field or a Level field, etc., depending on the log. |
DeviceAction |
CEF |
Action taken by the asset. The action that was taken by the producer of the log source. For example, blocked, detected. |
ApplicationProtocol |
CEF |
Application Level Protocol (HTTP, HTTPS, Telnet, and so on) |
DeviceCustomIPv6Address1 |
CEF |
Field for mapping the String type value that cannot be mapped to any other data model element. It can be used to process the logs of network assets where you need to distinguish between the IP addresses of various assets (for firewalls, etc.). The field is customizable. |
DeviceCustomIPv6Address1Label |
CEF |
Field for describing the purpose of the DeviceCustomIPv6Address1 field. |
DeviceCustomIPv6Address2 |
CEF |
Field for mapping the String type value that cannot be mapped to any other data model element. It can be used to process the logs of network assets where you need to distinguish between the IP addresses of various assets (for firewalls, etc.). The field is customizable. |
DeviceCustomIPv6Address2Label |
CEF |
Field for describing the purpose of the DeviceCustomIPv6Address2 field. |
DeviceCustomIPv6Address3 |
CEF |
Field for mapping the String type value that cannot be mapped to any other data model element. It can be used to process the logs of network assets where you need to distinguish between the IP addresses of various assets (for firewalls, etc.). The field is customizable. |
DeviceCustomIPv6Address3Label |
CEF |
Field for describing the purpose of the DeviceCustomIPv6Address3 field. |
DeviceCustomIPv6Address4 |
CEF |
Field for mapping the String type value that cannot be mapped to any other data model element. It can be used to process the logs of network assets where you need to distinguish between the IP addresses of various assets (for firewalls, etc.). The field is customizable. |
DeviceCustomIPv6Address4Label |
CEF |
Field for describing the purpose of the DeviceCustomIPv6Address4 field. |
DeviceEventCategory |
CEF |
The raw event category from the diagram of categorization of log producer events. |
DeviceCustomFloatingPoint1 |
CEF |
Field for mapping the Float type value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomFloatingPoint1Label |
CEF |
Field for describing the purpose of the DeviceCustomFloatingPoint1 field. |
DeviceCustomFloatingPoint2 |
CEF |
Field for mapping the Float type value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomFloatingPoint2Label |
CEF |
Field for describing the purpose of the DeviceCustomFloatingPoint2 field. |
DeviceCustomFloatingPoint3 |
CEF |
Field for mapping the Float type value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomFloatingPoint3Label |
CEF |
Field for describing the purpose of the DeviceCustomFloatingPoint3 field. |
DeviceCustomFloatingPoint4 |
CEF |
Field for mapping the Float type value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomFloatingPoint4Label |
CEF |
Field for describing the purpose of the DeviceCustomFloatingPoint4 field. |
DeviceCustomNumber1 |
CEF |
Field for mapping the integer value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomNumber1Label |
CEF |
Field for describing the purpose of the DeviceCustomNumber1 field. |
DeviceCustomNumber2 |
CEF |
Field for mapping the integer value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomNumber2Label |
CEF |
Field for describing the purpose of the DeviceCustomNumber2 field. |
DeviceCustomNumber3 |
CEF |
Field for mapping the integer value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomNumber3Label |
CEF |
Field for describing the purpose of the DeviceCustomNumber3 field. |
BaseEventCount |
CEF |
For a correlation event, this is the number of base events that were processed by the correlation rule that generated the correlation event. |
DeviceCustomString1 |
CEF |
Field for mapping the string value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomString1Label |
CEF |
Field for describing the purpose of the DeviceCustomString1 field. |
DeviceCustomString2 |
CEF |
Field for mapping the string value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomString2Label |
CEF |
Field for describing the purpose of the DeviceCustomString2 field. |
DeviceCustomString3 |
CEF |
Field for mapping the string value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomString3Label |
CEF |
Field for describing the purpose of the DeviceCustomString3 field. |
DeviceCustomString4 |
CEF |
Field for mapping the string value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomString4Label |
CEF |
Field for describing the purpose of the DeviceCustomString4 field. |
DeviceCustomString5 |
CEF |
Field for mapping the string value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomString5Label |
CEF |
Field for describing the purpose of the DeviceCustomString5 field. |
DeviceCustomString6 |
CEF |
Field for mapping the string value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomString6Label |
CEF |
Field for describing the purpose of the DeviceCustomString6 field. |
DestinationDnsDomain |
CEF |
The DNS domain portion of the complete fully qualified domain name (FQDN) of the destination, if the raw event contains the values of the traffic sender and recipient. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DestinationServiceName |
CEF |
Service name on the traffic recipient's side. For example, "sshd". This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DestinationTranslatedAddress |
CEF |
IP address of the traffic recipient asset (after the address is translated). This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DestinationTranslatedPort |
CEF |
Port number on the traffic recipient asset (after the recipient address is translated). This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DeviceCustomDate1 |
CEF |
Field for mapping the Timestamp type value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomDate1Label |
CEF |
Field for describing the purpose of the DeviceCustomDate1 field. |
DeviceCustomDate2 |
CEF |
Field for mapping the Timestamp type value that cannot be mapped to any other data model element. The field is customizable. |
DeviceCustomDate2Label |
CEF |
Field for describing the purpose of the DeviceCustomDate2 field. |
DeviceDirection |
CEF |
This field stores a description of the connection direction from the raw event. |
DeviceDnsDomain |
CEF |
The DNS domain part of the complete fully qualified domain name (FQDN) of the asset IP address from which the raw event was received. |
DeviceExternalID |
CEF |
External unique asset (product) ID, if it is communicated in the raw event. |
DeviceFacility |
CEF |
Facility from the raw event, if one exists. For example, the Facility field in the Syslog can be used to transmit the OS component name where an error occurred. |
DeviceInboundInterface |
CEF |
Name of the incoming connection interface. |
DeviceNtDomain |
CEF |
Windows Domain Name of the asset |
DeviceOutboundInterface |
CEF |
Name of the outgoing connection interface. |
DevicePayloadID |
CEF |
The payload's unique ID associated with the raw event. |
DeviceProcessName |
CEF |
Name of the process from the raw event |
DeviceTranslatedAddress |
CEF |
Retranslated IP address of the asset from which the raw event was received. |
DestinationHostName |
CEF |
Host name of the traffic receiver. FQDN of the traffic recipient, if available. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DestinationMacAddress |
CEF |
MAC address of the traffic recipient asset. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DestinationNtDomain |
CEF |
Windows Domain Name of the traffic recipient asset. |
DestinationProcessID |
CEF |
ID of the system process that is associated with the traffic recipient in the raw event. For example, if Process ID 105 is specified in the event, then DestinationProcessId=105 This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DestinationUserPrivileges |
CEF |
Names of security roles that identify user privileges at the destination. For example, "User", "Guest", "Administrator", etc. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DestinationProcessName |
CEF |
Name of the system process at the destination. For example, "sshd", "telnet", etc. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DestinationPort |
CEF |
Port number at the destination. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DestinationAddress |
CEF |
Destination IPv4 address. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DeviceTimeZone |
CEF |
Time zone of the asset where the event was generated |
DestinationUserID |
CEF |
User name at the destination. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DestinationUserName |
CEF |
User name at the destination. It may contain the email address of the user. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
DeviceAddress |
CEF |
IPv4 address of the asset from which the event was received. |
DeviceHostName |
CEF |
Name of the asset host from which the event was received. FQDN of the asset, if available. |
DeviceMacAddress |
CEF |
MAC address of the asset from which the event was received. FQDN of the asset, if available. |
DeviceProcessID |
CEF |
ID of the system process on the asset that generated the event. |
EndTime |
CEF |
Timestamp when the event was terminated.. |
ExternalID |
CEF |
ID of the asset that generated the event. |
FileCreateTime |
CEF |
Time of file creation from the event. |
FileHash |
CEF |
Hash of file |
FileID |
CEF |
File ID, if one exists |
FileModificationTime |
CEF |
Time of last edit of the file |
FilePath |
CEF |
File path, including the filename |
FilePermission |
CEF |
List of file permissions. |
FileType |
CEF |
File type. For example, application, pipe, socket, etc. |
FlexDate1 |
CEF |
Field for mapping the Timestamp type value that cannot be mapped to any other data model element. The field is customizable. |
FlexDate1Label |
CEF |
Field for describing the purpose of the flexDate1Label field. |
FlexString1 |
CEF |
Field for mapping the String type value that cannot be mapped to any other data model element. The field is customizable. |
FlexString1Label |
CEF |
Field for describing the purpose of the flexString1Label field. |
FlexString2 |
CEF |
Field for mapping the String type value that cannot be mapped to any other data model element. The field is customizable. |
FlexString2Label |
CEF |
Field for describing the purpose of the flexString2Label field. |
FlexNumber1 |
CEF |
Field for mapping the integer type that cannot be mapped to any other data model element. The field is customizable. |
FlexNumber1Label |
CEF |
Field for describing the purpose of the flexNumber1Label field. |
FlexNumber2 |
CEF |
Field for mapping the integer type that cannot be mapped to any other data model element. The field is customizable. |
FlexNumber2Label |
CEF |
Field for describing the purpose of the flexNumber2Label field. |
FileName |
CEF |
Filename without specifying the file path. |
FileSize |
CEF |
File size |
BytesIn |
CEF |
Number of obtained bytes that were received from the source and transmitted to the destination. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
Message |
CEF |
Short name of the error (problem) from the event. |
OldFileCreateTime |
CEF |
Time of the old file creation from the event. |
OldFileHash |
CEF |
Hash of the old file |
OldFileID |
CEF |
ID of the old file, if one exists. |
OldFileModificationTime |
CEF |
Time when the old file was changed last |
OldFileName |
CEF |
Name of the old file (without a file path) |
OldFilePath |
CEF |
Path to the old file, including the filename |
OldFilePermission |
CEF |
List of the old file permissions. |
OldFileSize |
CEF |
Size of the old file |
OldFileType |
CEF |
File type. For example, application, pipe, socket, etc. |
BytesOut |
CEF |
Number of sent bytes. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
EventOutcome |
CEF |
Result of the Action execution. For example, "success", "failure". |
TransportProtocol |
CEF |
Protocol name of the 4 level OSI (TCP, UDP, etc.) |
Reason |
CEF |
Short description of the audit reason in the audit messages. |
RequestUrl |
CEF |
Requested URL |
RequestClientApplication |
CEF |
User Agent that processed the Request |
RequestContext |
CEF |
Description of the Request context |
RequestCookies |
CEF |
Cookies related to the Request |
RequestMethod |
CEF |
Method that was used to access the URL (POST, GET, etc.) |
DeviceReceiptTime |
CEF |
Time when the event was received |
SourceHostName |
CEF |
Name of the host of the traffic source. FQDN of the traffic source, if available. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
SourceDnsDomain |
CEF |
Windows Domain Name of the traffic source asset. |
SourceServiceName |
CEF |
Name of the service at the traffic source. For example, "sshd". This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
SourceTranslatedAddress |
CEF |
Source translated IPv4 address. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
SourceTranslatedPort |
CEF |
Number of the translated port at the source. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
SourceMacAddress |
CEF |
MAC address of the traffic source asset. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
SourceNtDomain |
CEF |
Windows Domain Name of the traffic source asset. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
SourceProcessID |
CEF |
System process ID that is associated with the traffic source in the raw event. For example, if Process ID 105 is specified in the event, SourceProcessId=105 This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
SourceUserPrivileges |
CEF |
Names of security roles that identify user privileges at the source. For example, "User", "Guest", "Administrator", etc. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
SourceProcessName |
CEF |
Name of the system process at the source. For example, "sshd", "telnet", etc. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
SourcePort |
CEF |
Port number at the source. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
SourceAddress |
CEF |
Source IPv4 address. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
StartTime |
CEF |
Timestamp of the action associated with the event began. |
SourceUserID |
CEF |
User ID at the source. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
SourceUserName |
CEF |
User name at the source. It may contain the email address of the user. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
Type |
CEF |
The following values are available:
|
CorrelationBucketHash |
CEF |
Correlation Bucket key. Correlation event fields are used when generating a key. Used when generating notifications for the user. |
GroupedBy |
CEF |
List of names of the fields that were used for grouping in the correlation rule. It is filled in only for the correlation event. |
tenantID |
CEF |
Tenant ID |